Debians sikkerhedsbulletin

DSA-2111-1 squid3 -- lammelsesangreb

Rapporteret den:

19. sep 2010

Berørte pakker:

squid3

Sårbar:

Referencer i sikkerhedsdatabaser:

I Debians fejlsporingssystem: Fejl 596086.
I Mitres CVE-ordbog: CVE-2010-3072.

Yderligere oplysninger:

Phil Oester opdagede at Squid-3, en komplet webproxycache, var sårbar over for et lammelsesangreb (denial of service) via en særligt fremstillet forespørgsel, der indeholdt tomme strenge.

I den stabile distribution (lenny), er dette problem rettet i version 3.0.STABLE8-3+lenny4.

I distributionen testing (squeeze), vil dette problem snart blive rettet.

I den ustabile distribution (sid), er dette problem rettet i version 3.1.6-1.1.

Vi anbefaler at du opgraderer dine squid3-pakker.

Rettet i:

Debian GNU/Linux 5.0 (lenny)

Kildekode:: http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny4.diff.gz; http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny4.dsc; http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8.orig.tar.gz
Arkitekturuafhængig komponent:: http://security.debian.org/pool/updates/main/s/squid3/squid3-common_3.0.STABLE8-3+lenny4_all.deb
Alpha:: http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny4_alpha.deb; http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny4_alpha.deb; http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny4_alpha.deb
AMD64:: http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny4_amd64.deb; http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny4_amd64.deb; http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny4_amd64.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny4_i386.deb; http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny4_i386.deb; http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny4_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny4_ia64.deb; http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny4_ia64.deb; http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny4_ia64.deb
Little-endian MIPS:: http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny4_mipsel.deb; http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny4_mipsel.deb; http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny4_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny4_powerpc.deb; http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny4_powerpc.deb; http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny4_powerpc.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/s/squid3/squidclient_3.0.STABLE8-3+lenny4_sparc.deb; http://security.debian.org/pool/updates/main/s/squid3/squid3_3.0.STABLE8-3+lenny4_sparc.deb; http://security.debian.org/pool/updates/main/s/squid3/squid3-cgi_3.0.STABLE8-3+lenny4_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.